security: pin CDN versions + add SRI integrity hashes #1
Merged
React 18 and Babel standalone were loaded from unpkg.com with no integrity attribute and floating version tags (@18, no patch pin). A CDN compromise or version flip would silently execute attacker code with access to the user's YouTube API key stored in localStorage.

Changes:

- Pin React and ReactDOM to 18.3.1 (latest 18.x)
- Pin @babel/standalone to 7.29.7 (latest)
- Add sha384 integrity= + crossorigin=anonymous to all three
- Add comment on cdn.tailwindcss.com: the JIT Play CDN cannot carry SRI (dynamic response); a future improvement would be switching to a static pre-built tailwind.css

SRI hashes verified against the unpkg-served files at these exact versions.
What this fixes

The three CDN `<script>` tags in `index.html` load React, ReactDOM, and Babel Standalone from `unpkg.com` with:

- no `integrity=` attribute (no SRI protection)
- floating version tags (`@18`, no patch pin) — a version bump on unpkg could silently change the code being served

If unpkg.com were compromised, or if a new semver-compatible version introduced malicious code, every visitor's browser would execute it with full access to their YouTube API key stored in `localStorage`.

Changes
| Before | After |
| --- | --- |
| `react@18` (unpinned, no SRI) | `react@18.3.1` + `sha384-...` |
| `react-dom@18` (unpinned, no SRI) | `react-dom@18.3.1` + `sha384-...` |
| `@babel/standalone` (unpinned, no SRI) | `@babel/standalone@7.29.7` + `sha384-...` |

Tailwind CDN note: `cdn.tailwindcss.com` is the JIT/Play CDN — it generates CSS dynamically based on the page's class names and cannot carry a fixed SRI hash. A future hardening step would switch to a static pre-built `tailwind.css`, which would also unlock a proper `Content-Security-Policy` header. Left as-is here to keep this PR minimal/non-breaking.

SRI hash verification
Hashes computed from the live unpkg responses at the pinned versions:
Verify with:

```sh
curl -sf <url> | openssl dgst -sha384 -binary | openssl base64 -A
```

This change was identified while hardening the Falcon Technix community mirror at nbvs.falcontechnix.com. Submitting back upstream so users of the original tool benefit too.
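An added example (editor's code, not the PR's or the project's) that audits `<script>` tags for the two weaknesses the description above names, missing SRI and floating unpkg versions, and derives and checks an `integrity=` value the same way the `curl | openssl` line does; the sample HTML, the placeholder script body and the function names are constructed assumptions.

```python
"""Audit <script src=...> tags for the two weaknesses fixed in this PR:
missing Subresource Integrity and floating (unpinned) package versions.
Added example, not part of the PR; the sample HTML is constructed."""
import base64
import hashlib
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')  # quoted attributes only
# unpkg paths look like /react@18/... (floating) or /react@18.3.1/... (pinned)
PINNED_RE = re.compile(r"@\d+\.\d+\.\d+(?:[-+][\w.]+)?/")


def sri_value(data: bytes) -> str:
    """'sha384-' + base64(sha384(data)): what the PR's curl | openssl line prints."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def sri_matches(data: bytes, integrity: str) -> bool:
    """Re-derive the hash of the served bytes and compare with the attribute."""
    return sri_value(data) == integrity


def audit_scripts(html: str) -> list:
    """Return (src, problems) for every cross-origin script tag in html."""
    findings = []
    for tag in SCRIPT_RE.finditer(html):
        attrs = dict(ATTR_RE.findall(tag.group(1)))
        src = attrs.get("src")
        if not src or not urlparse(src).netloc:
            continue  # inline or same-origin script: SRI does not apply
        problems = []
        if "integrity" not in attrs:
            problems.append("no integrity attribute")
        elif "crossorigin" not in attrs:
            # opaque cross-origin response: the browser cannot check the hash
            problems.append("integrity without crossorigin")
        if urlparse(src).netloc == "unpkg.com" and not PINNED_RE.search(src):
            problems.append("floating version tag")
        findings.append((src, problems))
    return findings


# Constructed sample: the pre-fix tag from the PR description, a pinned and
# SRI-protected tag (hash derived from a placeholder body), a local script.
FAKE_BODY = b"/* constructed stand-in for react.production.min.js */"
SAMPLE_HTML = f"""
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
<script src="https://unpkg.com/react@18.3.1/umd/react.production.min.js"
        integrity="{sri_value(FAKE_BODY)}" crossorigin="anonymous"></script>
<script src="app.js"></script>
"""
```

Running `audit_scripts(SAMPLE_HTML)` flags the first tag for both problems and passes the pinned, hashed one; `sri_matches` is the check a deploy script can run against the bytes actually served before trusting a hash.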